New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix #204: factor makeCred into reg & authn priv considerations #777
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me!
index.bs
Outdated
{{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}} methods need to take care to | ||
not leak information that could enable a malicious [=[RP]=] to distinguish between these cases, where "named" means that the | ||
[=public key credential|credential=] is listed by the [=[RP]=] in either {{MakePublicKeyCredentialOptions/excludeCredentials}} | ||
or {{PublicKeyCredentialRequestOptions/allowCredentials}}, as applicable: | ||
|
||
- A named [=public key credential|credential=] is not available. | ||
- A named [=public key credential|credential=] is available, but the user does not [=user consent|consent=] to use it. | ||
|
||
If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing for | ||
which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a | ||
failure response as soon as the user denies [=user consent|consent=] to proceed with the operation. In this case the [=[RP]=] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps change
as soon as the user denies [=user consent|consent=] to proceed with the operation
to something like this?
as soon as the user denies [=user consent|consent=] to proceed with an [=authentication=] [=ceremony=]
Seeing as the following sentence refers specifically to allowCredentials
, I mean.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
incorp'd a build on this suggestion, pls review
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What I was trying to say is that the conclusion "at least one of the credentials listed in the allowCredentials parameter is available" is applicable only to the case of authentication ceremonies, not registration ceremonies. For registration ceremonies the conclusion is instead that the user has an authenticator that is not registered, which probably isn't as big a privacy concern.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me
@equalsJeffH can you finish the merge here ? |
incorp'd a build on suggestion #777 (comment), pls review |
fixes #204
see #204 (comment)
and #687 (comment)
and #687 (comment)
Preview | Diff